
Volume 3, Issue 1 - January, 2008 - © 2009 by Moose Logic, All Rights Reserved

Cover Story: 10 Easy Ways To Eliminate E-mail Overload
A Primer on Digital Certificates
How To Safely Dispose Of Old Computers
Thank You!!!
Moose Logic Coming Events
(Moose Views is a monthly newsletter prepared by Moose Logic to bring you information and tips on maintaining a trouble-free network)
10 Easy Ways To Eliminate E-mail Overload
E-mail driving you crazy? Every time you delete one, do five more show up? Are you finding it impossible to answer every e-mail you receive? If you answered “yes” to any of these questions, you’re not alone!
Some people are even declaring e-mail bankruptcy — they dump every e-mail in their inbox and start over. If that’s not an option for you, then here are 10 tips to reduce e-mail overload.
- Get a good spam filter. Even if it saves you just 10 minutes a day, that adds up to over 59 hours a year. (We can help with that, by the way.)
- Cancel subscriptions to unwanted mailing lists, and opt out of LEGITIMATE e-zines. But be careful! Trying to opt out of spam e-mails will only alert the sender that they have a LIVE address. Also, make sure you are careful to check the “unsubscribe” or “opt-out” box when purchasing items online.
- Ask your friends to remove you from joke groups or chain messages. Simply explain your situation and, if they are good friends, they’ll take you out of their message group.
- Don’t post or publish your e-mail on web sites. Spammers will steal it and put it on their lists.
- Don’t respond to every e-mail you receive. Yes, it’s okay NOT to respond to some e-mails. If it’s a group e-mail, don’t respond with “okay” or “:)” — it’s not necessary unless the sender is specifically asking you a question or requesting a response.
- Be succinct. Restrict your messages to a few sentences. If you can’t, pick up the phone or talk in person. This will avoid the back-and-forth of e-mail conversation.
- Take advantage of subject lines. If possible, put your question, or your message, in the subject line. If that’s not possible, make your subject line very descriptive so the recipient knows what your message is about. Here’s another tip: create a set of codes with your coworkers and place them in the subject line to help them process and prioritize messages. For example, use “FYI” for informational messages. Use “AR” for action required and “URG” for urgent messages.
- Block time to answer your e-mail and fight the temptation to check your e-mail every few minutes. You will save yourself a lot of time and be far more productive.
- Respond to messages when you open them so you only read them once. If the e-mail requires an action step, schedule the action step and delete it from your inbox.
- Set time aside in the morning and the evening to process your inbox. Shoot for a completely empty inbox. File messages you need to keep and set reminders for messages that require you to follow up.

- Be courteous when forwarding an e-mail: summarize the thread and why you are sending it at the top of the e-mail.
- Don’t copy someone on a message unless it is necessary. And explain why you’re copying them. Recipients won’t need to guess your intentions. This means fewer back-and-forth messages.
A Primer on Digital Certificates
Ever wonder what SSL Certificates are all about? Here’s (hopefully) a layman’s view of the subject:
First, we need to talk a bit about data encryption. There are basically two broad classes of encryption:
- Shared Key. Here the same encryption key is used to both encrypt and decrypt a message. Therefore both sender and receiver need to know what it is.
- Key Pairs. An encryption system where anything that is encrypted by one key of the key pair can only be decrypted with the other.
Key pairs are usually implemented in a “Public Key Infrastructure,” or “PKI,” where one key is made public, and the other is kept private. If you know my public key, you can use it to encrypt a message that only I can decrypt (assuming that I’ve taken proper precautions to protect my private key). Likewise, if I encrypt something with my private key, anyone who has my public key can decrypt it. What good is that? Well, it’s a kind of digital signature—because if you can properly decrypt a message using my public key, you can be pretty sure that I’m the only one who could have sent it.

The easiest way to implement a signature like this would be for me to send you a message that had, appended to it, a “hash value” of the message contents that was encrypted with my private key. A “hash value” is generated by a mathematical process that is not reversible, in other words, you can’t work backwards from the result and figure out what values were used in the calculation. One very common algorithm for generating hash values, and one that is often used to sign SSL certificates, is called “sha1,” and your PC already knows about it.
So your PC could calculate the sha1 hash value of the message, and compare it with the decrypted hash value I sent with the message. If they match, you know that the message hasn’t been tampered with (because it is, for all practical purposes, impossible to alter the message without altering the hash value), and you know that I sent it.
If you think for a moment, though, you’ll realize that this kind of digital signature can only be trusted to the degree that you trust that you know what my public key really is. So how do you know that? Well, I could put it on a USB drive and physically hand it to you. Or, I could give it to a third party that we both trust, and that person could give it to you. Or, I could email you a certificate containing my public key.
The certificate is basically a text file that consists of several things:
- A statement of what the certificate is for, e.g., to digitally sign a document, or secure a Web site.
- Identification of who issued the certificate.
- An expiration date.
- My public key.
- A statement of what hash algorithm is being used to sign the certificate (e.g., sha1).
- A “thumbprint” that consists of the results of a hash operation on the contents of the certificate, encrypted with the private key of the entity that issued the certificate.
“But wait!” you say, “How do I know the public key of the entity that issued the certificate?” Ah, now we get down to it. If we’re talking about a certificate that is issued by a big public “Certificate Authority,” or “CA,” like Verisign, your computer knows because their “root” certificate (which contains their public key) was built into your Operating System by Microsoft!
If you open, for example, Internet Explorer, click on the “Tools” menu, and choose “Internet Options,” then click on the “Content” tab, you’ll see a button that says “Certificates.” Click that button, and another window will open that will let you view all the certificates that your computer knows about. One of the tabs will say “Trusted Root Certification Authorities.” And among the certificates you find listed there will be Verisign’s.
So I could purchase a certificate from Verisign (or some other public CA), and, so long as that CA’s root certificate is in your trusted root certificate store, I can send you that certificate, and your PC will trust that it accurately represents my public key, and you can then use it to authenticate my digital signature.
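The hash-and-sign check and the certificate chain of trust described above, as an added example (not from the newsletter). It uses textbook RSA without padding, toy keys built from publicly known Mersenne primes, and SHA-256 in place of sha1 (SHA-1 is no longer accepted for certificate signatures); names such as `check_message` and "Example Root CA" are hypothetical, and real software uses a vetted crypto library.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):  # toy RSA key pair from two primes: (public, private)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):  # one-way hash of the data, as an integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)  # "encrypt" the hash with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data)  # "decrypt" and compare hashes

def cert_body(cert):
    """Every certificate field except the issuer's signature, as bytes."""
    return "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature").encode()

def issue_cert(subject, public, issuer, issuer_private, expires):
    cert = {"purpose": "sign messages", "subject": subject, "issuer": issuer,
            "expires": expires, "public_key": public, "hash": "sha256"}
    cert["signature"] = sign(cert_body(cert), issuer_private)
    return cert

def check_message(message, signature, cert, trusted_roots, today):
    """Walk the trust steps in order and report the first one that fails."""
    issuer_public = trusted_roots.get(cert["issuer"])
    if issuer_public is None:
        return "untrusted issuer"
    if not verify(cert_body(cert), cert["signature"], issuer_public):
        return "certificate altered"
    if today > cert["expires"]:  # ISO dates compare correctly as strings
        return "certificate expired"
    if not verify(message, signature, cert["public_key"]):
        return "message altered or wrong sender"
    return "ok"

# Constructed sample data. Mersenne primes are public knowledge: never real keys.
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
MY_PUB, MY_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ROOTS = {"Example Root CA": CA_PUB}  # stands in for the trusted root store
CERT = issue_cert("sender@example.test", MY_PUB, "Example Root CA", CA_PRIV, "2030-01-01")
MESSAGE = b"Meet at noon."
SIGNATURE = sign(MESSAGE, MY_PRIV)
```

Calling `check_message(MESSAGE, SIGNATURE, CERT, ROOTS, "2025-06-01")` returns "ok"; changing one byte of the message, emptying the root store, or swapping the key inside the certificate each fails at a different step.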
So how is this used in the real world? Consider electronic banking. When I connect to the Wells Fargo banking site, I need to know two things. First, I need to know that the Web server I’m talking to is really a Wells Fargo server. Second, I need to know what that server’s public key is—because my browser is going to use that public key to send the server an encrypted message that can only be decrypted using its private key, and that encrypted message is going to tell the server what shared key my PC wants to use for the remainder of my banking session. (The server won’t care what shared key we use, so it will agree to whatever shared key my browser proposes to use.)
This will be accomplished by the SSL certificate that the Wells Fargo server presents to my browser when I connect to it. I can view the contents of that certificate if I want by clicking on the padlock icon in my browser. (In IE v7, it’s at the end of the address bar. In previous versions, it was in the lower right corner of the browser window.)
If I view the Wells Fargo certificate, I will see that, sure enough, it was issued by Verisign. Why? Because, even though a Verisign certificate is probably the most expensive you can buy, it’s also probably the most universally accepted. It was issued to “www.wellsfargo.com,” for the purpose of proving the identity of the server. It also contains that server’s public key, so my browser can use it to negotiate a secure session.
The same thing will happen when, for example, you connect to your own Outlook Web Access server, using whatever SSL certificate you have put on that server. You could use a certificate issued by your own Windows Active Directory, and it would be accepted by any PC that is a member of the Domain, because as part of the process of joining a PC to a Domain, the Domain’s root certificate is pushed down to the computer.
But what about accessing OWA from your home PC? Or from a hotel business center? If the computer you’re using doesn’t contain the root certificate, the connection will fail. If we’re talking about your home PC, we may be able to manually add the root certificate to its certificate store, but you won’t be able to do that with the PC in the hotel business center. So you’re probably going to want to use a certificate from a public CA.
Things really get tricky when we start trying to set up mobile phone access. Windows Mobile powered devices synch with Exchange by connecting to the same URL that you use for OWA. So your Windows Mobile phone also must contain the trusted root certificate that corresponds to the certificate presented by your OWA server.
But, because storage is limited, the root certificate store on a Windows Mobile phone doesn’t contain as many certificates as your PC. And some phones, from some carriers, are locked, such that you can’t add root certificates to them. So don’t assume that the cheapest certificate you can find will work with all the cell phones your employees buy. A more widely accepted certificate may cost you more, but avoiding certificate hassles is well worth the extra money!
How To Safely Dispose Of Old Computers
With the new year upon us, many of you may have upgraded your old PCs for shiny new ones. So what should you do about that old PC left over?
Whatever you do, don’t just throw it into a dumpster! Not only is it an environmental hazard you could be fined for, but you also don’t want complete strangers getting access to your old files, passwords, financial information, and e-mails.
First, keep your old PC around for a few months until you are absolutely certain that you transferred all of the files and programs you needed to your new PC.
Next, you need to make sure the hard drive is wiped clean of any data you had stored on it — and simply deleting the files is not enough. We recommend you seek professional help in clearing the hard drives of any old PCs you are disposing of.
Finally, you may consider donating your old PCs to a charity such as Youth for Technology (youthfortechnology.org) or Computers With Causes (www.computerswithcauses.org). Many of these organizations will clean your hard drive to prevent identity theft, and you can write off the donation on your taxes!
